Configuring IP Connectivity

This page describes how to configure IP connectivity for a Cloud SQL instance, by adding or removing authorized IP addresses for the instance.

For help with connecting an administration client to your instance over an IP connection, see Connecting psql Client using IP addresses.

Introduction

You can configure your Cloud SQL instance to accept connections from specific IP addresses or a range of addresses by adding authorized addresses to your instance. You can also configure your instance to refuse all IP connections, and connect only by using the Cloud SQL Proxy.

If you configure your instance to accept IP connections, you should also configure it to use SSL to keep your data secure. For more information, see Configure SSL for Instances.

Adding an authorized address or address range

To add an authorized address:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Click Access Control.
  4. Click Add network.
  5. In the Network field, enter the IP address or address range you want to allow connections from.

    Use CIDR notation.

  6. Optionally, enter a name for this entry.
  7. Click Done.
  8. Click Save to update the instance.

gcloud

  1. Show all existing authorized addresses by describing the instance:
    gcloud sql instances describe [INSTANCE_NAME]
    

    Look for authorizedNetwork entries under ipConfiguration, and note any authorized addresses you want to keep.

  2. Update the authorized network list, including all addresses you want included.
    gcloud sql instances patch [INSTANCE_NAME] --authorized-networks=[IP_ADDR1],[IP_ADDR2]...
    

    Use CIDR notation.

  3. Confirm your changes:
    gcloud sql instances describe [INSTANCE_NAME]
    

cURL

  1. Show all existing authorized addresses by describing the instance:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           -X GET \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>?fields=settings
    
  2. Update the instance, including all addresses you want set on the instance:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           --header 'Content-Type: application/json' \
           --data '{"settings" : {"ipConfiguration" :
                                  {"authorizedNetworks" :
                                  [{ "value": "<IP_ADDR1>" }, { "value": "<IP_ADDR2>" } ]}}}' \
           -X PATCH \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>
    

    Use CIDR notation.

  3. Confirm your changes:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           -X GET \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>?fields=settings
    

Removing an authorized address or address range

To remove an authorized address:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Click Access Control.
  4. Click the delete icon Delete. for the address you want to delete.
  5. Click Save to update the instance.

gcloud

  1. Show all existing authorized addresses by describing the instance:
    gcloud sql instances describe [INSTANCE_NAME]
    

    Look for authorizedNetwork entries under ipConfiguration, and note any authorized addresses you want to keep.

  2. Update the authorized network list, dropping off any addresses you want to remove.
    gcloud sql instances patch [INSTANCE_NAME] --authorized-networks=[IP_ADDR1],[IP_ADDR2]...
    
  3. Confirm your changes:
    gcloud sql instances describe [INSTANCE_NAME]
    

cURL

  1. Show all existing authorized addresses by describing the instance:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           -X GET \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>?fields=settings
    
  2. Update the instance, dropping off any addresses you want remove:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           --header 'Content-Type: application/json' \
           --data '{"settings" : {"ipConfiguration" :
                                  {"authorizedNetworks" :
                                  [{ "value": "<IP_ADDR1>" }, { "value": "<IP_ADDR2>" } ]}}}' \
           -X PATCH \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>
    
  3. Confirm your changes:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           -X GET \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>?fields=settings
    

Configuring an instance to refuse all IP connections

To configure an instance to refuse all IP connections:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Click Access Control.
  4. Click the delete icon Delete. for all authorized addresses.
  5. Click Save to update the instance.

gcloud

  1. Clear the authorized address list:
    gcloud sql instances patch [INSTANCE_NAME] --clear-authorized-networks
    
  2. Confirm your changes:
    gcloud sql instances describe [INSTANCE_NAME]
    

cURL

  1. Show all existing authorized addresses by describing the instance:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           -X GET \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>?fields=settings
    
  2. Update the instance with an empty address list:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           --header 'Content-Type: application/json' \
           --data '{"settings" : {"ipConfiguration" :
                                  {"authorizedNetworks" : [] }}}' \
           -X PATCH \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>
    
  3. Confirm your changes:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
           --header 'Content-Type: application/json' \
           -X GET \
           https://www.googleapis.com/sql/v1beta4/projects/<PROJECT-ID>/instances/<INSTANCE_NAME>?fields=settings
    

What's next

Send feedback about...

Cloud SQL for PostgreSQL